Four Round Secure Computation without Setup

Transcription

1 Four Round Secure Computation without Setup Zvika Brakerski 1, and Shai Halevi 2, and Antigoni Polychroniadou 3, 1 Weizmann Institute of Science zvika.brakerski@weizmann.ac.il 2 IBM shaih@alum.mit.edu 3 Cornell Tech antigoni@cornell.edu Abstract. We construct a 4-round multi-party computation protocol in the plain model for any functionality, secure against a malicious adversary. Our protocol relies on the sub-exponential hardness of the Learning with Errors (LWE) problem with slightly super-polynomial noise ratio, and on the existence of adaptively secure commitments. Lin, Pass and Soni (FOCS 17) provide an adaptively secure commitment scheme from Time-Lock Puzzles. Our round complexity matches a lower bound of Garg et al. (EUROCRYPT 16), and outperforms the state of the art of 6 rounds based on similar assumptions to ours, and 5 rounds relying on indistinguishability obfuscation and other strong assumptions. To do this, we construct an LWE based multi-key FHE scheme with a very simple one-round distributed setup procedure (vs. the trusted setup required in previous LWE based constructions). This lets us construct the first 3-round semi-malicious MPC protocol without setup from standard LWE using the approach of Mukherjee and Wichs (EUROCRYPT 16). Finally, subexponential hardness and adaptive commitments are used to compile the protocol into the fully malicious setting. Keywords: LWE, Multi-key FHE, MPC, Round Complexity. Supported by the Israel Science Foundation (Grant No. 468/14) and Binational Science Foundation (Grants No , ) and ERC Project REACT. Supported by the Defense Advanced Research Projects Agency (DARPA) and Army Research Office (ARO) under Contract No. W911NF-15-C Supported by the National Science Foundation under Grant No , IBM under Agreement , the Packard Foundation under Grant , and the Danish National Research Foundation and the National Science Foundation of China (under the grant ) for the Sino-Danish Center for the Theory of Interactive Computation. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the sponsors.

2 1 Introduction Secure Multi-party Computation (MPC) allows mutually suspicious parties to evaluate a function on their joint private inputs without revealing these inputs to each other. One fruitful line of investigation is concerned with the round complexity of these protocols. More specifically, we consider a model where at each round, each party is allowed to broadcast a message to everyone else. We allow the adversary to be malicious and corrupt any fraction of the parties. If a Common Random String (CRS) is allowed, then two rounds are necessary and sufficient for secure multi-party protocols under plausible cryptographic assumptions [GGHR14,MW16]. Without relying on trusted setup, it was still known that constant round protocols are possible [BMR90], but the exact round complexity remained open. A lower bound in the simultaneous message model was established in the recent work of Garg et al. [GMPP16], who proved that four rounds are necessary. They also showed how to perform multi-party coin flipping in four rounds, which can then be used to generate a CRS and execute the aforementioned protocols in the CRS model. That technique implied a five-round protocol based on 3-round 3-robust non-malleable commitments 4 and indistinguishability obfuscation, and a 6-round protocol based on 3-round 3-robust non-malleable commitments and LWE. For the important special case of only two parties, it is known that two message protocols with sequential rounds, i.e. each party talks in turn, are necessary and sufficient in the CRS model [JS07,HK07] and five message protocols are necessary and sufficient without setup [KO04,ORS15]. Our Results. Our work addresses the following fundamental question: Can we obtain round-optimal multi-party computation protocols without setup? We answer this question in the affirmative, obtaining a round-optimal multiparty computation protocol in the plain model for general functionalities in the presence of a malicious adversary. Informally, we prove the following: Theorem 1 (Informal) Assuming the existence of adaptive commitments, as well as the sub-exponential hardness of Learning-with-Errors, there exists a fourround protocol that securely realizes any multi-party functionality against a malicious adversary in the plain model without setup. Instantiations of adaptive commitments. We use a two-round adaptively secure (CCA) commitment scheme as constructed by Lin, Pass and Soni [LPS17, Theorem 3] based on time-lock puzzles, collision-resistant hash functions, noninteractive commitments and ZAPs, all with subexponential-security. Prior to 4 Such commitments can be instantiated from one-way permutations secure w.r.t. sub-exponential time adversaries [COSV16]. 2

3 the work of [LPS17], Pandey, Pass and, Vaikuntanathan [PPV08] provided a two-round adaptively secure commitment scheme using Naor s protocol [Nao91] with adaptive PRGs - a non-standard assumption. The authors in [GMPP16] also instantiate their protocols based on the commitment of [PPV08]. That said, the protocols in [GMPP16] can be based on the recent commitment of [LPS17]. To establish our result, we depart from the coin flipping approach of [GMPP16] and instead rely on a new generalized notion of multi-key fully homomorphic encryption [LTV12] which we show how to construct based on the hardness of LWE. In a nutshell, whereas prior LWE based constructions required trusted setup (essentially a CRS) [CM15,MW16,BP16,PS16], we show that the setup procedure can be distributed. Each party only needs to broadcast a random string 5, and generate its public key based on the collection of strings by all other parties. We show that the resulting scheme is secure even when some of the broadcast strings are adversarial (and even when the adversary is rushing). Similarly to Mukherjee and Wichs [MW16], we can transform our multi-key FHE into an MPC protocol in the semi-malicious model (where the adversary is only allowed to corrupt parties in a way that is consistent with some random tape). Our protocol requires 3 rounds without setup (vs. 2 rounds in the CRS model), and only requires polynomial hardness of LWE with slightly super polynomial noise ratio. Informally, we establish the following theorem: Theorem 2 (Informal) Assuming hardness of Learning-with-Errors with superpolynomial noise ratio, there exists a three-round protocol that securely realizes any multi-party functionality against a rushing semi-malicious adversary in the plain model without setup. Concurrent work. In a concurrent and independent work, Ananth, Choudhuri, and Jain construct a maliciously-secure 4-round MPC protocol based on one-way permutations and sub-exponential hardness of DDH [ACJ17]. Their approach is very different from ours, they construct and use a robust semi-honest MPC protocol from DDH, while our main building block is an LWE-based 3- round protocol secure against semi-malicious adversaries. Related work on LWE-based MPC protocols. Asharov et al. [AJL + 12] first show a three-round multi-party computation protocol in the CRS model and a two-round multi-party computation protocol in the reusable public-key infrastructure setup model based on LWE. The work of Mukherjee and Wichs [MW16], and its extensions [BP16,PS16], based on multi-key FHE [LTV12,CM15], shows how to obtain optimal two-round constructions based on LWE and NIZKs in the CRS model. See Chapter 3 of [Pol16] for related work of MPC protocols based on different assumptions both in the CRS and plain model. 5 Essentially its public matrix for a dual-regev encryption scheme [Reg09,GPV08]. 3

4 2 Overview of our Protocol Our starting point is the multi-key FHE approach to MPC, first introduced by [LTV12]. As explained above, it was shown in [MW16] that the Clear-McGoldrick scheme [CM15] implies a two-round protocol in the semi-malicious setting in the CRS model under LWE. Furthermore, using NIZK it is possible to also achieve fully malicious security. Constructing a multi-key FHE without setup and with the necessary properties for compiling it into an MPC protocol is still an open problem, but we show that the trusted setup can be replaced by a distributed process which only adds a single round to the MPC protocol. While our final solution is quite simple, it relies on a number of insights as to the construction and use of multi-key FHE. 1. While the schemes in [GSW13,CM15,MW16] rely on primal Regev-style LWE-based encryption as a basis for their FHE scheme, it is also possible to instantiate them based on the dual-regev scheme [GPV08] (with asymptotically similar performance). However, the same form of CRS is required for this instantiation as well, so at first glance it does not seem to offer any advantages. 2. The multi-key FHE schemes of [CM15,MW16] are presented as requiring trusted setup, but a deeper look reveals that this trusted setup is only needed to ensure a single property, related to the functionality: In LWE based encryption (Regev or dual-regev) the public key contains a matrix A and a vector t A (possibly with some additional noise, depending on the flavour of the scheme) where t is the secret key. In order to allow multi-key homomorphism between parties that each have their own A i, t i, it is only required that the values b i,j = t i A j for all i, j, are known to all participating parties (up to small noise). The use of CRS in previous works comes in setting all A i to be the same matrix A, which is taken from the CRS, and thus the public key b i t i A i = t i A is the only required information. 3. Lastly, we notice that dual-regev with the appropriate parameters is leakage resilient [DGK + 10]. This means that so long as a party honestly generates its t i and A i, it can expose arbitrary (length-bounded) information on t i without compromising the security of its own ciphertexts. Combining this with the above, we can afford to expose all b i,j = t i A j without creating a security concern (for appropriate setting of the parameters). Putting the above observations together, we present a multi-key FHE scheme with a distributed setup, in which each party generates a piece of the common setup, namely the matrix A i. After this step, each party can generate a public key pk i containing all vectors b i,j, the respective secret key is the vector t i. Given all pk i and the matrices A i, it is possible to perform multi-key homomorphism in a very similar manner to [CM15,MW16]. The 3-round semi-malicious protocol is therefore as follows. Round 1: Distributed Setup. Every player P i broadcasts a random matrix A i of the appropriate dimension. 4

5 Round 2: Encryption. Each party generates a public/secret key-pair for the multi-key FHE, encrypts its input under these keys, and broadcasts the public key and ciphertext. Round 3: Partial Decryption. Each party separately evaluates the function on the encrypted inputs, then use its secret key to compute a decryption share of the resulting evaluated ciphertext and broadcasts that share to everyone. Epilogue: Output. Once all the decryption shares are received, each party can combine them to get the function value, which is the output of the protocol. This skeleton protocol can be shown to be secure in the semi-malicious adversary model, but it is clearly insecure in the presence of a malicious adversary. Although the protocol can tolerate adversarial choice of the first-round matrices A i, the adversary can still violate privacy by sending invalid ciphertexts in Round 2 and observing the partial decryption that the honest players send in the next round. It can also violate correctness by sending the wrong decryption shares in the last round. These two attacks can be countered by having the parties prove that they behaved correctly, namely that the public keys and ciphertexts in Round 2 were generated honestly, and that the decryption shares in Round 3 were obtained by faithful decryption. To be effective we need the proof of correct encryption to complete before the parties send their decryption shares (and of course the proof of correct decryption must be completed before the output can be produced). Hence, if we have a k-round input-delayed proof of correct encryption (and a (k+ 1)-round input-delayed proof of correct decryption) then we get a (k + 1)-round protocol overall. Much of the technical difficulties to achieve malicious security in the current work are related to using 3-round proofs of correct encryptions, resulting in a 4-round protocol. 2.1 The Maliciously-Secure Protocol Our maliciously-secure protocol builds on the above 3-round semi-malicious protocol, and in addition it uses a two-round adaptive commitment protocol acom = (acom 1, acom 2 ), a three-round delayed-input proof of correct encryption Π WIPOK = (p 1, p 2, p 3 ), and a four-round delayed-input proof of correct decryption Π FS = (fs 1, fs 2, fs 3, fs 4 ). (The names Π WIPOK and Π FS are meant to hint on the implementation of these proofs, see more discussion in the next subsection.) Round 1: Distributed Setup, commitment & proof. Every party i broadcasts its setup matrix A i. It also broadcasts the first message acom 1 of the adaptive commitment for its randomness and input, the first message p 1 of the proof of correct encryption, and the first message fs 1 of the proof of correct decryption (both proofs with respect to the committed values). Round 2: Continued commitment & proofs. Each party broadcasts acom 2, p 2, fs 2. 5

6 Round 3: Encryption & proofs. The parties collect all the first round matrices A i and run the key-generation and encryption procedures of the multikey FHE. Then, each party broadcasts its public key and encrypted input. In the same round, each party also broadcasts messages p 3, fs 3. Round 4: Verification & decryption. Each party runs the verifier algorithm for the Π WIPOK proof of correct encryption, verifying all the instances. If all of them passed then it evaluates the function on the encrypted inputs, then uses its secret key to compute a decryption share of the resulting evaluated ciphertext, and broadcasts that share to everyone. It also broadcasts the message fs 4 of the proof of correct decryption. Epilogue: Verification & output. Once all the decryption shares and proofs are received, each party runs the verifier algorithm for the Π FS proof of correct decryption, again verifying all the instances. If all of them passed then it combines all the decryption shares to get the function value, which is the output of the protocol. If any of the messages is missing or mal-formed, or if any of the verification algorithms fail, then the parties are instructed to immediately abort with no output. As explained in the next section, subtle technicalities arise in the security proof that lead to an extended version of the above protocol description. 2.2 A Tale of Malleability and Extraction To prove security of our protocol, we must exhibit a simulator that can somehow extract the inputs of the adversary, so that it can send these inputs to the trusted party in order to get the function output. To that end we make the three-round proof of correct encryption a Proof of Knowledge (POK), and let the simulator use the knowledge extractor to get these adversarial inputs. At the same time, we must ensure that this proof of knowledge is nonmalleable, so that the extracted adversarial inputs do not change between the real protocol (in which the honest parties prove knowledge of their true input) and the simulated protocol (in which the simulator generates proofs for the honest players without knowing their true inputs). A few subtle technicalities are discussed below. Two-round commitment with straight-line extraction. The main technical tool that we use in our proofs is two-round adaptive commitments, that the parties use to commit to their inputs and randomness. Commitments in this scheme are marked by tags, and the scheme has the remarkable property of adaptive security: Namely, commitments with one tag are secure even in the presence of an oracle that breaks commitments for all other tags. Some hybrid games in our proof of security are therefore staged in a mentalexperiment game where such a breaking oracle exists, providing us with straightline (rewinding-free) extraction of the values that the adversary commits to, while keeping the honest-party commitments secret. Looking ahead, straight-line 6

7 extraction is used in some of our hybrids to fake the (WIPOK) zero knowledge proofs. However, we also need our other primitives (MFHE, POK, etc.) to remain secure in the presence of a breaking oracle, and we use complexity leveraging for that purpose: We assume that these primitives are sub-exponentially secure, and set their parameters much larger that those of the commitment scheme. This way, all these primitives remain secure even against sub-exponential time adversaries that can break the commitment by brute force. When arguing the indistinguishability of two hybrids, we reduce to the sub-exponential security of these primitives and use brute force to implement the breaking oracle in those hybrids. 6 Delayed-input proofs. In the three-round proofs for correct encryption and in the four-round proofs for correct decryption, the statement to be proved is not defined until just before the last round of the protocols. We therefore need to use delayed-input proofs that can handle this case and squeeze rounds in order to achieve a four round protocol. Fake proofs via Feige-Shamir. The simulator needs to fake the four-round proof of correct decryption on behalf of the correct parties, as it derives their decryption shares from the function output that it gets from the trusted party. For this purpose we use a Feige-Shamir-type four-round proof [FS90], which has a trapdoor that we extract and can be used to fake these proofs. WI-POK with a trapdoor. Some steps in our proof have hybrid games in which the commitment contains the honest parties true inputs while the encryption contains zeros. In such hybrids, the statement that the values committed to are consistent with the encryption is not true, so we need to fake that three-round proof as well. For that purpose we use another Feige-Shamir-type trapdoor as follows: Each party chooses a random string R, encloses ˆR = OW F (R) with its first-flow message, encloses R inside the commitment acom (together with its input and randomness) and adds the statement ˆR = OW F (R) to the list of things that it proves in the 3-round POK protocol. In addition, the parties execute a second commitment protocol bcom (which is normally used to commit to zero in the real protocol), and we modify the POK statement to say that EITHER the original statement is true, OR the value committed in that second commitment bcom is a pre-image of the ˆR value sent by the verifier in the first round. Letting the POK protocol be witnessindistinguishable (WI-POK), we then extract the R value from the adversary (in some hybrids), let the challenger commit to that value in the second commitment bcom, and use it as a trapdoor to fake the proof in the POK protocol. 6 Technically we only need to assume standard security in a world with such a breaking oracle, which is a weaker assumption than full sub-exponential security. 7

8 We note that the second commitment bcom need not be non-malleable or adaptive, but it does need to remain secure in the presence of a breaking oracle for the first commitment. Since we already assume a 2-round adaptive commitment acom, then we use the same scheme also for this second commitment, and appeal to its adaptive security to argue that the second commitment remains secure in the presence of a breaking oracle for the first commitment. Public-coin proofs. In the multi-party setting, the adversary may choose to fail the proofs with some honest parties and succeed with others. We thus need to specify what honest parties do in case one of the proofs fail. The easiest solution is to use public-coin proofs with perfect completeness, and have the parties broadcast their proofs and verify them all (not only the ones where they chose the challenge). This way we ensure that if one honest party fails the proof, then all of them do. 2.3 Roadmap In Part I we provide our 3-round semi-malicious protocol based on multi-key FHE. In Part II we compile our 3-round semi-malicious protocol to a 4-round fully maliciously-secure protocol. We conclude in Section 7 with open problems. 8

9 Part I 3-Round Semi-Malicious Protocols 3 LWE-Based Multi-Key FHE with Distributed Setup Notations. Throughout the text we denote the security parameter by κ. A function µ : N N is negligible if for every positive polynomial p( ) and all sufficiently large κ s it holds that µ(κ) < 1 p(κ). We often use [n] to denote the set {1,..., n}. Let d D denote the process of sampling d from the distribution D or, if D is a set, a uniform choice from it. For two distributions D 1 and D 2, we use D 1 s D 2 to denote that they are statistically close (up to negligible distance), D 1 c D 2 denotes computational indistinguishability, and D 1 D 2 denotes identical distributions.

10 3.1 Definitions An encryption scheme is multi-key homomorphic if it can evaluate circuits on ciphertexts that are encrypted under different keys. Decrypting an evaluated ciphertext requires the secret keys of all the ciphertexts that were included in the computation. In more detail, a multi-key homomorphic encryption scheme (with trusted setup) consists of five procedures, MFHE = (MFHE.Setup, MFHE.Keygen, MFHE.Encrypt, MFHE.Decrypt, MFHE.Eval): Setup params MFHE.Setup(1 κ ): On input the security parameter κ the setup algorithm outputs the system parameters params. Key Generation (pk, sk) MFHE.Keygen(params): On input params the key generation algorithm outputs a public/secret key pair (pk, sk). Encryption c MFHE.Encrypt(pk, x): On input pk and a plaintext message x {0, 1} output a fresh ciphertext c. (We assume for convenience that the ciphertext includes also the respective public key.) Evaluation ĉ := MFHE.Eval(params; C; (c 1,..., c l )): On input a (description of a) Boolean circuit C and a sequence of l fresh ciphertexts (c 1,..., c l ), output an evaluated ciphertext ĉ. (Here we assume that the evaluated ciphertext includes also all the public keys from the c i s.) Decryption x := MFHE.Decrypt((sk 1,..., sk N ), ĉ): On input an evaluated ciphertext c (with N public keys) and the corresponding N secret keys (sk 1,..., sk N ), output the message x {0, 1}. The scheme is correct if for every circuit C on N inputs and any input sequence x 1,..., x N for C, we set params MFHE.Setup(1 κ ) and then generate N key-pairs and N ciphertexts (pk i, sk i ) MFHE.Keygen(params) and c i MFHE.Encrypt(pk i, x i ), then we get MFHE.Decrypt ( (sk 1,..., sk N ), MFHE.Eval(params; C; (c 1,..., c N )) ) = C(x 1,..., x N )] except with negligible probability (in κ) taken over the randomness of all these algorithms. 7 Local decryption and simulated shares. A special property that we need of the multi-key FHE schemes from [CM15,MW16], is that the decryption procedure consists of a local partial-decryption procedure ev i MFHE.PartDec(ĉ, sk i ) that only takes one of the secret keys and outputs a partial decryption share, and a public combination procedure that takes these partial shares and outputs the plaintext, x MFHE.FinDec(ev 1,..., ev N, ĉ). Another property of these schemes that we need is the ability to simulate the decryption shares. Specifically, there exists a P P T simulator S T, that gets for input: the evaluated ciphertext ĉ, 7 We often consider a slightly weaker notion of homomorphism, where the Setup algorithm gets also a depth-bound d and correctness is then defined only relative to circuits of depth upto d. 10

11 the output plaintext x := MFHE.Decrypt((sk 1,..., sk N ), ĉ), a subset I [N], and all secret keys except the one for I, {sk j } j [N]\I. The simulator produces as output simulated partial evaluation decryption shares: {ẽv i } i I S T (x, ĉ, I, {sk j } j [N]\I ). We want the simulated shares to be statistically close to the shares produced by the local partial decryption procedures using the keys {sk i } i I, even conditioned on all the inputs of S T. We say that a scheme is simulatable if it has local decryption and a simulator as described here. As in [MW16], in our case too we only achieve simulatability of the basic scheme when all parties but one are corrupted (i.e., when the set I is a singleton). Distributed setup The variant that we need for our protocol does not require the setup procedure to be run by a trusted entity, but rather it is run in a distributed manner by all parties in the protocol. In our definition we allow the setup to depend on the maximum number of users N. This restriction does not pose a problem for our application. Distributed Setup params i MFHE.DistSetup(1 κ, 1 N, i): On input the security parameter κ and number of users N, outputs the system parameters for the i-th player params i. The remaining functions have the same functionality as above, where params = {params i } i [N], the key generation takes i as an additional parameter in order to specify which entry in params it refers to. Semantic security and simulatability Semantic security for multi-key FHE is defined as the usual notion of semantic security. For the distributed setup variant, we require that semantic security for the i-th party holds even when all {params j } j [N]\{i} are generated adversarially and possibly depending on params i. Namely, we consider a rushing adversary that chooses N and i [N], then it sees params i and produces params j for all j [N] \ {i}. After this setup, the adversary is engaged in the usual semantic-security game, where it is given the public key, chooses two messages and is given the encryption of one of them, and it needs to guess which one was encrypted. Simulatability of the decryption shares is defined as before, but now the evaluated ciphertext is produced by the honest party interacting with the same rushing adversary (and statistical closeness holds even conditioned on everything that the adversary sees). 11

12 3.2 A Dual LWE-Based Multi-Key FHE with Distributed Setup For our protocol we use an adaptation of the dual of the multi-key FHE scheme from [CM15,MW16]. Just like the primal version, our scheme uses the GSW FHE scheme [GSW13], and its security is based on the hardness of LWE. Recall that the LWE problem is parametrized by integers n, m, q (with m > n log q) and a distribution χ over Z that produces whp integers much smaller than q. The LWE assumption says that given a random matrix A Z n m q, the distribution sa + e with random s Z n q and e χ m is indistinguishable from uniform in Z m q. For the dual GSW scheme below, we use parameters n < m < w < q with m > n log q and w > m log q, and two error distributions χ, χ with χ producing much larger errors than χ (but still much smaller than q). Specifically, consider the distribution χ = {a {0, 1} m, b χ m, c χ, output c a, b }. (1) We need the condition that the statistical distance between χ and χ is negligible (in the security parameter n). This condition holds, for example, if χ, χ are discrete Gaussian distributions around zero with parameters p, p, respectively, such that p /p is super-polynomial (in n). Distributed Setup params i MFHE.DistSetup(1 κ, 1 N, i): Set the parameters q = poly(n)n ω(1) (as needed for FHE correctness), m > (Nn+1) log q+ 2κ, and w = m log q. 8 Sample and output a random matrix A i Z q (m 1) n. Key Generation (pk i, sk i ) MFHE.Keygen(params, i): Recall that params = {params i } i [N] = {A i } i [N]. The public key of party i is a sequence of vectors pk i = {b i,j } j [N] to be formally defined below. The corresponding secret key is a low-norm vector t i Z m q. ( ) Aj We will define b i,j, t i such that for B i,j = it holds that t b i B i,j = i,j b i,i b i,j (mod q) for all j. In more detail, sample a random binary vector s i {0, 1} m 1, we set b i,j = s i A j mod q. Denoting t i = (s i, 1), we indeed have t i B i,j = b i,i b i,j (mod q). Encryption C MFHE.Encrypt(pk i, µ): To encrypt a bit µ under the public key pk i, choose a random matrix R Zq n w and a low-norm error matrix E Z m w q, and set C := B i,i R + E + µg mod q, (2) where G is a fixed m-by-w gadget matrix (whose structure is not important for us here, cf. [MP12]). Furthermore, as in [CM15,MW16], encrypt all bits of R in a similar manner. For our protocol, we use more error for the last row of the error matrix E than for the top m 1 rows. Namely, we choose Ê χ (m 1) w and e χ w and set E = ( Ê e 8 Parmeters q, n, w are global and fixed once at the onset of the protocol. ). 12

13 Decryption µ := MFHE.Decrypt((sk 1,..., sk N ), C): The invariant satisfied by ciphertexts in this scheme, similarly to GSW, is that an encryption of a bit µ relative to secret key t is a matrix C that satisfies tc = µ tg + e (mod q) (3) for a low-norm error vector e, where G is the same gadget matrix. The vector t is the concatenation of all sk i = t i for all parties i participating in the evaluation. This invariant holds for freshly encrypted ciphertexts since t i B i,i = 0 (mod q), and so t i (B i,i R + E + µg) = µ t i G + t i E (mod q), where e = t i E has low norm (as both t i and E have low norm). To decrypt, the secret-key holders compute u = t C mod q, outputting 1 if the result is closer to tg or 0 if the result is closer to 0. Evaluation C := MFHE.Eval(params; C; (c 1,..., c l )): Since ciphertexts satisfy the same invariant as in the original GSW scheme, then the homomorphic operations in GSW work just as well for this dual variant. Similarly the ciphertext-extension technique from [CM15,MW16] works also for this variant exactly as it does for the primal scheme (see below). Hence we get a multi-key FHE scheme. Security Security with distributed setup follows from LWE so long as (m 1) > (Nn + 1) log q + 2κ. The basis for security is the following lemma, which is essentially the same argument from [DGK + 10] showing that dual Regev is leakage resilient for bounded leakage. Lemma 1. Let A i Z q (m 1) n be uniform, and let A j for all j i be chosen by a rushing adversary after seeing A i. Let s i {0, 1} m 1 and b i,j = s i A j. Let r Z n q be uniform, e χ m 1, e χ. Then, under the LWE assumption, the vector c = A i r + e and number c = b i,i r + e are (jointly) pseudorandom, even given the b i,j s for all j [N] and the view of the adversary that generated the A j s. Proof: Consider the distribution of c, c as in the lemma statement. We notice that c = b i,i r +e = s i A i r +e = s i c s i e+e. The proof proceeds by a sequence of hybrids. Our first hybrid changes the distribution of c to c = s i c + e. Noting that c s i c is drawn from χ before the change and from χ after the change (cf. Eqn. (1)), we get that the statistical distance between the hybrids is negligible. In the next hybrid, we use LWE to replace c with a uniform vector. Since c could have been sampled before s i or any of the A j with j i, LWE implies indistinguishability with the previous hybrid. Finally, we apply the leftover hash lemma, noting that all the b i,j s only leak at most Nn log q bits of information on s i and therefore the average min-entropy of s i is at least (m 1) Nn log q > log q + 2κ. Using the leftover hash lemma with c as seed and s i as source, we have that (c, s i c) are jointly statistically 13

14 indistinguishable from uniform. This implies that (c, c ) are jointly statistically indistinguishable from uniform, even given all A j, b i,j for all j [N]. The lemma follows. Applying this lemma repeatedly for every column via a hybrid argument shows that the ciphertext components c = A i R + Ê and c = b i,i R + e are also jointly pseudorandom, even given the view of the adversary, and semantic security of the scheme follows. Multi-key Homomorphism and Simulatability The other components of the multi-key FHE scheme from [CM15,MW16] work for our variant as well, simply because the encryption and decryption formulas are identical (except with slightly different parameter setting), namely Equations (2) and (3). Below we briefly sketch these components for the sake of self-containment. The ciphertext-expansion procedure. The gadget matrix G used for these schemes has the property that there exists a low-norm vector u such that Gu = (0, 0,..., 0, 1). Therefore, for every secret key t = (s 1) we have tgu = 1 (mod q). It follows that if C is an encryption of µ wrt secret key t = (s 1), then the vector v = Cu satisfies t, v = tcu = (µtg + e)u = µtgu + e, u = µ + ɛ (mod q) where ɛ is a small integer. In other words, given an encryption of µ wrt t we can construct a vector v such that t, v µ (mod q). Let A 1, A 2 be public parameters for two users with secret ( keys t 1 ) = (s( 1 1), t 2 ) = (s 2 1), and recall Ai Ai that we denote b i,j = s i A j and B i,i = =. s ia i b i,i Let C = B 1,1 R+E+µG be fresh encryption of µ w.r.t B 1,1, and suppose that we also have an encryption under t 1 of the matrix R. We note that given any vector δ, we can apply homomorphic operations to the encryption of R to get an encryption of the entries of the vector ρ = ρ(δ) = δr. Then, using the technique above, we can compute for every entry ρ i a vector x i such that t 1, x i ρ i (mod q). Concatenating all these vectors we get a matrix X = X(δ) such that t 1 X ρ = δr (mod q). ( ) We consider the matrix C C X =, where X = X(δ) for a δ to be 0 C determined later. We claim that for an appropriate δ this is an encryption of the same plaintext µ under the concatenated secret key t = (t 1 t 2 ). To see this, notice that (( ) ) A1 t 2 C = (s 2 1) R + E + µg (b s 1 A 2,1 b 1,1 )R + µt 2 G 1 (mod q), 14

15 and therefore setting δ = b 1,1 b 2,1, which is a value that can be computed from pk 1, pk 2 we get t C = (t 1 C t 1 X + t 2 C) (µt 1 G (b 1,1 b 2,1 )R + (b 2,1 b 1,1 )R + µt 2 G) ( ) G = µ(t 1 G t 2 G) = µ(t 1 t 2 ), G as needed. As in the schemes from [CM15,MW16], this technique can be generalized to extend the ciphertext C into an encryption of the same plaintext µ under the concatenation of any number of keys. Partial decryption and Simulatability. This aspect works exactly as in [MW16, Thm 5.6]. Let v be a fixed low-norm vector satisfying Gv = (0, 0,..., 0, q/2 ) (mod q) (such a vector exists). Let C be an encryption of a bit µ relative to the concatenated secret key t = (t 1 t 2... t N ) (whose last entry is 1). Then on one hand C satisfies Eqn. (3) so we have tcv = µ }{{} tgv + e, v }{{} µ q/2 = q/2 =ɛ, ɛ q (mod q). On the other hand, breaking C into N bands of m rows each (i.e, C = (C1 T C2 T... CN T )T with each C i Z m mn q ), we have tcv = N i=1 t ic i v. Hence in principle we could set the partial decryption procedure as ev i = MFHE.PartDec(C, t i ) := t i C i v mod q, and the combination procedure will just add all these ev i s and output 0 if it is smaller than q/4 in magnitude and 1 otherwise. To be able to simulate (when there are N 1 corruptions), we need the partial decryption to add its own noise, large enough to drown the noise in tcv (but small enough so decryption still works). Given the ciphertext C, N 1 keys t j for all j [N] \ {i}, and the plaintext bit µ, the simulator will sample its own noise e and output the share ev i = µ q/2 + e j t jc j v mod q. 4 A Semi-Malicious Protocol without Setup The semi-malicious adversary model [AJL + 12] is a useful mid-point between the semi-honest and fully-malicious models. Somewhat similarly to a semi-honest adversary, a semi-malicious adversary is restricted to run the prescribed protocol, but differently than the semi-honest model it can choose the randomness that this protocol expects arbitrarily and adaptively (as opposed to just choosing it at random). Namely, at any point in the protocol, there must exists a choice of inputs and randomness that completely explain the messages sent by the adversary, but these inputs and randomness can be arbitrarily chosen by the adversary itself. A somewhat subtle point is that the adversary must always know the inputs and randomness that explain its actions (i.e., the model requires the adversary to explicitly output these before any messages that it sends). 15

16 We still assume a rushing adversary that can choose its messages after seeing the messages of the honest parties (subject to the constraint above). Similarly to the malicious model, an adversarial party can abort the computation at any point. Security is defined in the usual way, by requiring that a real-model execution is simulatable by an adversary/simulator in the ideal model, cf. Definition 7 in Section A Semi-Malicious Protocol from Multi-Key FHE with Distributed Setup Our construction of 3-round semi-malicious protocol without setup is nearly identical to the Mukherjee-Wichs construction with a common reference string [MW16, Sec. 6], except that we use multi-key FHE with distributed setup, instead of their multi-key FHE with trusted setup. We briefly describe this construction here for the sake of self-containment. To compute an N-party function F : ({0, 1} ) N {0, 1} on input vector w, the parties first run the setup round and broadcast their local parameters params i. Setting params = (params 1,..., params N ), each party runs the key generation to get (pk i, sk i ) MFHE.Keygen(params, i) and then the encryption algorithm c i MFHE.Encrypt(pk i, w i ), and broadcasts (pk i, c i ). Once the parties have all the public keys and ciphertexts, they each evaluate homomorphically the function F and all get the same evaluated ciphertext ĉ. Each party applies its partial decryption procedure to get ev i MFHE.PartDec(ĉ, sk i ) and broadcasts its decryption share ev i to everyone. Finally, given all the shares ev i, every party runs the combination procedure and outputs µ MFHE.FinDec(ev 1,..., ev N, ĉ). Security. Security is argued exactly as in [MW16, Thm. 6.1]: First we use the simulatability property to replace the partial decryption by the honest parties by a simulated partial decryption (cf. [MW16, Lem. 6.2]), and once the keys of the honest parties are no longer needed we can appeal to the semantic security of the FHE scheme (cf. [MW16, Lem. 6.3]). Exactly as in the Mukherjee-Wichs construction, here too the underlying multi-key scheme only satisfies simulatability when all but one of the parties are corrupted, and as a result also the protocol above is only secure against adversaries that corrupt all but one of the parties. Mukherjee and Wichs described in [MW16, Sec. 6.2] a transformation from a protocol secure against exactly N 1 corruptions to one which is secure against any number of corruptions. Their transformation is generic and can be applied also in our context, resulting in a semi-malicious-secure protocol. 16

17 Part II 4-Round Malicious Protocols 5 Tools and Definitions We use tools of commitment and proofs to compile our semi-malicious protocol to a protocol secure in the malicious model. Below we define these tools and review the properties that we rely on.

18 5.1 Commitment Schemes Commitment schemes allow a committer C to commit itself to a value while keeping it (temporarily) secret from the receiver R. Later the commitment can be opened, allowing the receiver to see the committed value and check that it is consistent with the earlier commitment. In this work, we consider commitment schemes that are statistically binding. This means that even an unbounded cheating committer cannot create a commitment that can be opened in two different ways. We also use tag-based commitment, which means that in addition to the secret committed value there is also a public tag associated with the commitment. The notion of hiding that we use is adaptive-security (due to Pandey et al. [PPV08]): it roughly means that the committed value relative to some tag is hidden, even in a world that the receiver has access to an oracle that breaks the commitment relative to any other tag. Definition 1 (Adaptively-secure Commitment[PPV08]) A tag-based commitment scheme (C, R) is statistically binding and adaptively hiding if it satisfies the following properties: Statistical binding: For any (computationally unbounded) cheating committer C and auxiliary input z, it holds that the probability, after the commitment stage, that there exist two executions of the opening stage in which the receiver outputs two different values (other than ), is negligible. Adaptive hiding: For every cheating PPT receiver R and every tag value tag, it holds that the following ensembles are computationally indistinguishable. {view R (tag),b tag acom (m 1, z)} κ N,m1,m 2 {0,1} κ,z {0,1} {view R (tag),b tag acom (m 2, z)} κ N,m1,m 2 {0,1} κ,z {0,1} where view R (tag),b tag acom (m, z) denotes the random variable describing the output of R (tag) after receiving a commitment to m relative to tag using acom, while interacting with a commitment-breaking oracle B tag. The oracle B tag gets as input an alleged view v and tag tag. If tag tag and v is a valid transcript of a commitment to some value m relative to tag, then B tag returns that value m. (If there is no such value, or if tag = tag, then B tag returns. If there is more than one possible value m then B tag returns an arbitrary one.) To set up some notations, for a two-message commitment we let acom 1 = acom tag (r) and acom 2 = acom tag (m; acom 1 ; r ) denote the two messages of the protocol, the first depending only on the randomness of the receiver and the second depending on the message to be committed, the first-round message from the receiver, and the randomness of the sender. 5.2 Proof Systems Given a pair of interactive Turing machines, P and V, we denote by P (w), V (x) the random variable representing the (local) output of V, on common input x, when interacting with machine P with private input w, when the random input to each machine is uniformly and independently chosen. 18

19 Definition 2 (Interactive Proof System) A pair of interactive machines P, V is called an interactive proof system for a language L if there is a negligible function µ( ) such that the following two conditions hold: Completeness: For every x L, and every w R L (x), Pr[ P (w), V (x) = 1] = 1. Soundness: For every x / L, and every P, Pr[ P, V (x) = 1] µ(κ) In case the soundness condition is required to hold only with respect to a computationally bounded prover, the pair P, V is called an interactive argument system. Definition 3 (ZK) Let L be a language in N P, R L a witness relation for L, (P, V ) an interactive proof (argument) system for L. We say that (P, V ) is statistical/computational ZK, if for every probabilistic polynomial-time interactive machine V there exists a probabilistic algorithm S whose expected running-time is polynomial in the length of its first input, such that the following ensembles are statistically close/computationally indistinguishable over L. { P (y), V (z) (x)} κ N x {0,1} κ L,y R L (x),z {0,1} {S(x, z)} κ N x {0,1}κ L,y R L (x),z {0,1} where P (y), V (z) (x) denotes the view of V in interaction with P on common input x and private inputs y and z, respectively. Definition 4 (Witness-indistinguishability) Let P, V be an interactive proof (or argument) system for a language L N P. We say that P, V is witness-indistinguishable for R L, if for every probabilistic polynomialtime interactive machine V and for every two sequences {wκ,x} 1 κ N,x L and {wκ,x} 2 κ N,x L, such that wκ,x, 1 wκ,x 2 R L (x) for every x L {0, 1} κ, the following probability ensembles are computationally indistinguishable over κ N. { P (w 1 κ,x), V (z) (x)} κ N x {0,1} κ L,z {0,1} { P (w 2 κ,x), V (z) (x)} κ N x {0,1}κ L,z {0,1} Definition 5 (Proof of knowledge) Let (P, V ) be an interactive proof system for the language L. We say that (P, V ) is a proof of knowledge for the witness relation R L for the language L it there exists an probabilistic expected polynomialtime machine E, called the extractor, and a negligible function µ( ) such that for every machine P, every statement x {0, 1} κ, every random tape x {0, 1}, and every auxiliary input z {0, 1}, P r[ P r (z), V (x) = 1] P r[e P r (x,z) (x) R L (x)] + µ(κ) An interactive argument system P, V is an argument of knowledge if the above condition holds w.r.t. probabilistic polynomial-time provers. 19

20 Delayed-Input Witness Indistinguishability. The notion of delayed-input Witness Indistinguishability formalizes security of the prover with respect to an adversarial verifier that adaptively chooses the input statement to the proof system in the last round. Once we consider such adaptive instance selection, we also need to specify where the witnesses come from; to make the definition as general as possible, we consider an arbitrary (potentially unbounded) witness selecting machine that receives as input the views of all parties and outputs a witness w for any statement x requested by the adversary. In particular, this machine is a (randomized) Turing machine that runs in exponential time, and on input a statement x and the current view of all parties, picks a witness w R L (x) as the private input of the prover. Let P, V be a 3-round Witness Indistinguishable proof system for a language L N P with witness relation R L. Denote the messages exchanged by (p 1, p 2, p 3 ) where p i denotes the message in the i-th round. For a delayed-input 3-round Witness Indistinguishable proof system, we consider the game ExpAWI between a challenger C and an adversary A in which the instance x is chosen by A after seeing the first message of the protocol played by the challenger. Then, the challenger receives as local input two witnesses w 0 and w 1 for x chosen adaptively by a witness-selecting machine. The challenger then continues the game by randomly selecting one of the two witnesses and by computing the third message by running the prover s algorithm on input the instance x, the selected witness w b and the challenge received from the adversary in the second round. The adversary wins the game if he can guess which of the two witnesses was used by the challenger. Definition 6 (Delayed-Input Witness Indistinguishability) Let ExpAWI A P,V be a delayed-input WI experiment parametrized by a P P T adversary A and an delayed-input 3-round Witness Indistinguishable proof system P, V for a language L N P with witness relation R L. The experiment has as input the security parameter κ and auxiliary information aux for A. The experiment ExpAWI proceeds as follows: ExpAWI A P,V (κ, aux): Round-1: The challenger C randomly selects coin tosses r and runs P on input (1 κ ; r) to obtain the first message p 1 ; Round-2: A on input p 1 and aux chooses an instance x and a challenge p 2. The witness-selecting machine on inputs the statement x and the current view of all parties outputs witnesses w 0 and w 1 such that (x, w 0 ), (x, w 1 ) R L. A outputs x, w 0, w 1, p 2 and internal state state; Round-3: C randomly selects b {0, 1} and runs P on input (x, w b, p 2 ) to obtain p 3 ; b A((p 1, p 2, p 3 ), aux, state); If b = b then output 1 else output 0. A 3-round Witness Indistinguishable proof system for a language L N P with witness relation R L is delayed-input if for any P P T adversary A there exists a negligible function µ( ) such that for any aux {0, 1} it holds that P r[expawi A P,V (κ, aux) = 1] 1/2 µ(κ) 20

21 The most recent 3-round delayed-input WI proof system appeared in [COSV16]. Feige-Shamir ZK Proof Systems. For our construction we use the 3-round, public-coin, input-delayed witness-indistinguishable proof-of-knowledge Π WIPOK based on the work of Feige, Lapidot, Shamir [FLS99], and the 4-round zeroknowledge argument-of-knowledge protocol of Feige and Shamir Π FS [FS90]. Recall that the Feige-Shamir protocol consists of two executions of a WIPOK protocol in reverse directions. The first execution has the verifier prove something about a secret that it chooses, and the second execution has the prover proving that either the input statement is true or the prover knows the verifier s secret. The zero-knowledge simulator then uses the knowledge extraction to extract the secret of the verifier, making it possible to complete the proof. 5.3 Secure Computation The security of a protocol is analyzed by comparing what an adversary can do in the protocol to what it can do in an ideal model. A protocol is secure if any adversary interacting in the real protocol can do no more harm than if it was involved in this ideal computation. Execution in the ideal model. In the ideal model we have an incorruptible trusted party to whom the parties send their inputs. The trusted party computes the functionality on the inputs and returns to each party its respective output. Even this model is not completely ideal, however, since some malicious behavior that cannot be prevented (such as early aborting) is permitted here too. An ideal execution proceeds as follows: Inputs: Each party obtains an input, denoted by w. Send inputs to trusted party: An honest party always sends w to the trusted party. A malicious party may, depending on w, either abort or send some w {0, 1} w to the trusted party. Trusted party answers malicious parties: The trusted party realizing the functionality F = (F M, F H ) is informed of the set of malicious parties M, and let us denote the complementing set of honest parties by H. Once it received all the inputs, the trusted party first replies to the malicious parties with F M (w). Trusted party answers second party: The malicious parties reply to the trusted party by either proceed or abort. If they all reply proceed then the trusted party sends F H (w) to the honest parties. If any of them reply abort then the trusted party sends to the honest parties. Outputs: An honest party always outputs the message it received from the trusted party. A malicious party may output an arbitrary (probabilistic polynomial-time computable) function of its initial input and the message received from the trusted party. 21

22 The random variable containing the joint outputs of the honest and malicious parties in this execution (including an identification of the set M of malicious parties) is denoted by IDEAL F,S (κ, w), where κ is the security parameter, S is representing parties in the ideal model and w are the inputs. Execution in the real model. In the real model,where there is no trusted party, a malicious party may follow an arbitrary feasible strategy; that is, any strategy implementable by (non-uniform) probabilistic polynomial-time machines. In particular, the malicious party may abort the execution at any point in time (and when this happens prematurely, the other party is left with no output). The (static) adversary chooses the set M of malicious parties before it receives any inputs to the protocol, and it can be rushing, in that in every communication round it first sees the messages from the honest parties and only then chooses the messages on behalf of the malicious parties. Let F : ({0, 1} ) N ({0, 1} ) N be an N-party function, let Π be an N- party protocol for computing F, and let A be an adversary. The joint execution of Π with adversary A in the real model, denoted REAL Π,A (κ, w) (with κ the security parameter and w the inputs), is defined as the output of the honest and malicious parties (and an identification of the set M of malicious parties), resulting from the protocol interaction. Definition 7 (secure MPC) Let F and Π be as above. Protocol Π is said to securely compute F (in the malicious model) if for every (non-uniform) probabilistic polynomial-time adversary A for the real model, there exists a (nonuniform) probabilistic expected polynomial-time adversary S for the ideal model, such that: {IDEAL F,S (κ, w)} κ N,w ({0,1} ) N c {REALΠ,A (κ, w)} κ N,w ({0,1} ) N. Notations. For a sub-protocol π between two parties P i and P j, denote by (p i,j 1,..., p i,j t ) the view of the messages in all t rounds where the subscripts (i, j) denote that the first message of the sub-protocol is sent by P i to P j. Likewise, subscripts (j, i) denote that the first message of the sub-protocol is sent by P j to P i. 6 A Malicious Protocol without Setup Our 4-round protocol for the malicious case is obtained by compiling the 3- round semi-malicious protocol from Section 4, adding round-efficient proofs of correct behavior. The components of this protocol are: The 3-round semi-malicious protocol from Section 4, based on the dual -GSW-based multi-key FHE scheme with distributed setup. We denote this multi-key FHE scheme by MFHE = (MFHE.DistSetup, MFHE.Keygen, MFHE.Encrypt, MFHE.Eval, MFHE.PartDec, MFHE.FinDec). 22

23 Two instances of a two-round adaptively secure commitment scheme, supporting tags/identities of length κ. We denote the first instance by acom = (acom 1, acom 2 ) and the second by bcom = (bcom 1, bcom 2 ). A one-way function OW F. A three-round public coin witness-indistinguishable proof of knowledge with delayed input, Π WIPOK = (p 1, p 2, p 3 ), for the N P-Language L WIPOK P from Figure 2. We often refer to this protocol as proof of correct encryption, but what it really proves is that EITHER the encryption is consistent with the values committed in acom, OR the value committed in bcom is a preimage under OW F of values sent by the other parties. A four-round zero-knowledge argument of knowledge with delayed input, Π FS = (fs 1, fs 2, fs 3, fs 4 ), for the N P-Language L FS P from Figure 2. We often refer to this protocol as proof of correct decryption. The parameters for the MFHE scheme, the OW F, and the two proof systems, are chosen polynomially larger than those for the commitment schemes. Hence (assuming sub-exponential security), all these constructions remain secure even against an adversary that can break acom, bcom by exhaustive search. The protocol. Let F : ({0, 1} ) N {0, 1} be a deterministic N-party function to be computed. Each party P i holds input x i {0, 1} κ and identity id i. 9 The protocol consists of four broadcast rounds, where messages (m 1 t,..., m N t ) are exchanged simultaneously in the t-th round for t [4]. The message flow is detailed in Figure 1, and Figure 3 depicts the exchanged messages between two parties P i and P j. Blue messages are sub-protocols where party P i is the prover/committer and party P j is the verifier/receiver, red messages denote the opposite. 9 Known transformations yield also protocols for randomized functionalities without increasing the rounds, see [Gol04, Section 7.3]. 23

24 Protocol Π MPC Private Inputs: For i [N], party P i has input x i. Round 1: For i [N] each party P i proceeds as follows: 1. Choose randomness r i = (r gen i, ri enc ) for the MFHE scheme. 2. Choose an unrelated κ-bit randomness value R i, and set ˆR i = OW F (R i). 3. For every j, engage in a two-round commitment protocol with P j for the values (x i, r i, R i), using an instance of acom with tag id i. Note that the first message in this protocol is sent by P j (so P i sends the first message to all the P j s for their respective commitments). Denote the messages initiated in each sub-protocol by P i to P j by acom i,j For every j, prepare the first message p i,j 1 of Π WIPOK (acting as the Prover) for the N P- Language L WIPOK P i = L i,j,1 L i,j,2 for j [N] \ {i} and the first message fs i,j 1 of Π FS (acting as the Verifier) for L FS P j = (L j,i,1 L j,i,3) where the N P-Languages L i,j,1,l i,j,2,l i,j,3 are defined in Figure Run the distributed setup of MFHE to get params ( i = MFHE.DistSetup(1 κ, 1 N, i). 6. For all j( i) broadcast the message m i,j 1 := acom i,j 1, pi,j 1, fsi,j 1, ˆR ) i, params i to party P j. Round 2: For i [N] each party P i proceeds as follows: 1. Generate the second commitment messages acom j,i 2 for acom idi (x i, r i, R i), the second message p j,i 2 of the ΠWIPOK proof system, and the second message fsj,i 2 of the ΠFS proof system. 2. For every j, engage in a two-round commitment protocol with P j for the value 0, using an instance of bcom with tag id i. As before, P i sends the first message to all the P j s for their respective commitments, and we denote the message sent from P i to P j by bcom i,j For all j broadcast the messages m i,j 2 := (acom j,i 2, pj,i 2, fsj,i 2, bcomi,j 1 ). Round 3: For i [N] each party P i proceeds as follows: 1. Generate the second messages bcom j,i 2 corresponding to all bcom idi (0), the final message p i,j 3 of the Π WIPOK protocol, and the third message fs i,j 3 of Π FS. 2. Set params = {params i } i [N]. Use randomness r gen i, ri enc to generate a key pair for MFHE, (pk i, sk i) MFHE.Keygen(params, i), and an encryption of the private input c i = MFHE.Encrypt(pk i, x i). 3. For all j broadcast the message m i,j 3 := (pk i, c i, p i,j 3, fsi,j 3, bcomj,i 2 ). Round 4: If any p j,i does not pass verification then abort. Otherwise each party P i proceeds as follows: 1. Compute the evaluated ciphertext ĉ := MFHE.Eval(params; F ; (c 1,..., c N )), and the decryption shares ev i MFHE.PartDec(ĉ, (pk 1,..., pk N ), i, sk i). 2. Prepare the final message fs j,i 4 of Π FS protocol. 3. For all j, broadcast the message m i,j 4 := (ev i, fs j,i 4 ). Output phase: If any fs i,j does not pass verification then abort. Else run the combining algorithm on the decryption shares, and output y MFHE.FinDec(ev 1,..., ev N, ĉ). Fig. 1. Protocol Π MPC with respect to party P i. 24

25 N P-Language L WIPOK P i and L FS P i for Π FS and Π WIPOK proof systems where P i acts as the prover: Fix the identities id i, and then for all i, j define: (x i, r gen i, ri enc, sk i, R i, ω i) : ˆR i, ˆR j, acom j,i 1, bcomj,i 1 acom j,i 2 = acom idi (x i, r gen i, ri enc, R i; acom j,i 1 ; ω i) L i,j,1 = params,, pk i, c i, ĉ, acom j,i 2, ˆR i = OW F (R i) bcomj,i 2 (sk i, pk i ) = MFHE.Keygen(params, i; r gen i ) c i = MFHE.Encrypt(pk i, x i; ri enc ) L i,j,2 = { ( ˆRi, ˆR j, acom j,i 1, bcomj,i 1 params, pk i, c i, ĉ, acom j,i 2, bcomj,i 2 ˆR i, ˆR j, acom j,i 1, bcomj,i 1 L i,j,3 = params, pk i, c i, ĉ, acom j,i 2, bcomj,i 2 We define L WIPOK P i ) } (R, ζ i) : ˆRj = OW F (R ) bcom j,i 2 = bcom idi (R ; bcom j,i 2 ; ζ i) (x i, r gen i, ri enc, sk i, R i, ω i) : = {L i,j,1 L i,j,2} j and L FS P i = {L i,j,3} j. acom j,i 2 = acom idi (x i, r gen i, ri enc, R i; acom j,i 1 ; ω i) (sk i, pk i ) = MFHE.Keygen(params; r gen i ) ev i = MFHE.PartDec(ĉ, i, sk i) Fig. 2. N P-Language L i,j,1,l i,j,2,l i,j,3 for Π FS and Π WIPOK proof systems. 6.1 Proof of Security Theorem 3 Assuming sub-exponential hardness of LWE, and the existence of an adaptively-secure commitment scheme, there exists a four-broadcast-round protocol for securely realizing any functionality against a malicious adversary in the plain model with no setup. To prove Theorem 3, we note that the two assumptions listed suffice for instantiating all the components of our protocol Π MPC : the commitment is used directly for acom and bcom, and sub-exponential LWE suffices for everything else. We also note that while we think of the protocol from Figure 1 as a compilation of the 3-round protocol from Section 4 using zero-knowledge proofs, it is not a generic compiler, as it relies on the specifics of our semi-malicious protocol. See more discussion in Section 7 below. In the following, we prove security of Π MPC by describing a simulator and proving that the simulated view is indistinguishable from the real one. Description of the Simulator Let P = {P 1,..., P N } be the set of parties, let A be a malicious, static adversary in the plain model, and let P P be the set of parties corrupted by A. We construct a simulator S (the ideal world adversary) with access to the ideal 25

26 Fig. 3. Messages exchanged between party P i and P j in Π MPC. (acom 1, acom 2 ) and (bcom 1, bcom 2 ) are commitments, (p 1, p 2, p 3 ) belong to the 3-round Π WIPOK, (fs 1, fs 2, fs 3, fs 4 ) belong to the 4-round Π FS, and (params, pk, c, ev) denote the MFHE messages. Blue messages are sub-protocols where party P i is the prover/committer and party P j is the verifier/receiver, red messages donete the opposite. functionality F, such that the ideal world experiment with S and F is indistinguishable from a real execution of Π MPC with A. The simulator S only generates messages on behalf of parties P\P, as follows: Round 1 Messages S A: In the first round, S generates messages on behalf of each honest party P h / P, as follows: 1. Choose randomness r h = (r gen h, renc h ) for the MFHE scheme and an unrelated κ-bit randomness value R h, and set ˆR h = OW F (R h ). 2. For every j engage in a two-round commitment protocol with P j. To this end, prepare the first message acom h,j 1 corresponding to the execution of acom idj (x j, r gen j, rj enc, R j ; ω j ) on behalf of P h, acting as the receiver of the commitment. Since the commitment acom is a two-round protocol, the message of the committer P j is only sent in the second round. 26